This task is necessary to process SPNEGO web or Kerberos authentication requests to WebSphere® Application Server. You can create a Kerberos service principal name and keytab file using key distribution centers (KDCs) on Microsoft® Windows®, iSeries®, Linux®, Solaris, Massachusetts Institute of Technology (MIT) Kerberos, and z/OS® operating systems.
Creating a Kerberos service principal name and keytab file using Microsoft Windows KDC:
This task is performed on the active directory domain controller machine. Complete the following steps to ensure that the Windows 2003 Server that is running the active directory domain controller is properly configured as the associated key distribution center (KDC).
Click Start->Programs->Administrative Tools->Active Directory Users and Computers.
Create a new user whose name corresponds to the WebSphere Application Server host. For example, if the application server you are running on the WebSphere Application Server machine is called myappserver.austin.ibm.com, create a new user in the active directory called myappserver.
The service name for SPNEGO web authentication must be HTTP. However, the service name for Kerberos authentication can be any string that is allowed by the KDC.
An example of the setspn command usage for SPNEGO web authentication is as follows:
C:\Program Files\Support Tools> setspn -A HTTP/myappserver.austin.ibm.com myappserver
Use the ktpass tool from the Windows Server toolkit to create the Kerberos keytab file for the service principal name (SPN). Use the latest version of the ktpass tool that matches the Windows server level that you are using. For example, use the Windows 2003 version of the tool for a Windows 2003 server.
To determine the appropriate parameter values for the ktpass tool, run the ktpass -? command from the command line. This command lists whether the ktpass tool, which corresponds to the particular operating system, uses the -crypto RC4-HMAC or -crypto RC4-HMAC-NT parameter value. To avoid warning messages from the toolkit, you must specify the -ptype KRB5_NT_PRINCIPAL parameter value.
The Windows 2003 server version of the ktpass tool supports the RC4-HMAC and single Data Encryption Standard (DES) encryption types. For more information about the ktpass tool, see Windows 2003 Technical Reference (Kerberos keytab file and ktpass command).
```
C:\Program Files\Support Tools>ktpass -?
Command line options:

---------------------most useful args
[- /] out : Keytab to produce
[- /] princ : Principal name (user@REALM)
[- /] pass : password to use
                use "*" to prompt for password.
[- +] rndPass : ... or use +rndPass to generate a random password
[- /] minPass : minimum length for random password (def:15)
[- /] maxPass : maximum length for random password (def:256)
---------------------less useful stuff
[- /] mapuser : map princ (above) to this user account (default: don't)
[- /] mapOp : how to set the mapping attribute (default: add it)
[- /] mapOp : is one of:
[- /] mapOp : add : add value (default)
[- /] mapOp : set : set value
[- +] DesOnly : Set account for des-only encryption (default:don't)
[- /] in : Keytab to read/digest
---------------------options for key generation
[- /] crypto : Cryptosystem to use
[- /] crypto : is one of:
[- /] crypto : DES-CBC-CRC : for compatibility
[- /] crypto : DES-CBC-MD5 : for compatibliity
[- /] crypto : RC4-HMAC-NT : default 128-bit encryption
[- /] ptype : principal type in question
[- /] ptype : is one of:
[- /] ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
[- /] ptype : KRB5_NT_SRV_INST : user service instance
[- /] ptype : KRB5_NT_SRV_HST : host service instance
[- /] kvno : Override Key Version Number
                Default: query DC for kvno. Use /kvno 1 for Win2K compat.
[- +] Answer : +Answer answers YES to prompts. -Answer answers NO.
[- /] Target : Which DC to use. Default:detect
---------------------options for trust attributes (Windows Server 2003 Sp1 Only
[- /] MitRealmName : MIT Realm which we want to enable RC4 trust on.
[- /] TrustEncryp : Trust Encryption to use; DES is default
[- /] TrustEncryp : is one of:
[- /] TrustEncryp : RC4 : RC4 Realm Trusts (default)
[- /] TrustEncryp : DES : go back to DES
```
ktpass -out c:\temp\myappserver.keytab -princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM -mapUser myappserver -mapOp set -pass was1edu -crypto DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly
Option | Explanation |
---|---|
-out c:\temp\myappserver.keytab | The key is written to this output file. |
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM | The user logon name concatenated with the realm; the realm must be in uppercase. |
-mapUser myappserver | The key is mapped to the user, myappserver. |
-mapOp set | This option sets the mapping. |
-pass was1edu | This option is the password for the user ID. |
-crypto DES-CBC-MD5 | This option uses the single DES encryption type. |
-pType KRB5_NT_PRINCIPAL | This option specifies the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages. |
+DesOnly | This option generates only DES encryptions. |
ktpass -out c:\temp\myappserver.keytab -princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM -mapUser myappserver -mapOp set -pass was1edu -crypto RC4-HMAC -pType KRB5_NT_PRINCIPAL
Option | Explanation |
---|---|
-out c:\temp\myappserver.keytab | The key is written to this output file. |
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM | The user logon name concatenated with the realm; the realm must be in uppercase. |
-mapUser myappserver | The key is mapped to the user, myappserver. |
-mapOp set | This option sets the mapping. |
-pass was1edu | This option is the password for the user ID. |
-crypto RC4-HMAC | This option chooses the RC4-HMAC encryption type. |
-pType KRB5_NT_PRINCIPAL | This option specifies the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages. |
ktpass -out c:\temp\myappserver.keytab -princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM -mapUser myappserver -mapOp set -pass was1edu -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
Option | Explanation |
---|---|
-out c:\temp\myappserver.keytab | The key is written to this output file. |
-princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM | The user logon name concatenated with the realm; the realm must be in uppercase. |
-mapUser myappserver | The key is mapped to the user, myappserver. |
-mapOp set | This option sets the mapping. |
-pass was1edu | This option is the password for the user ID. |
-crypto RC4-HMAC-NT | This option chooses the RC4-HMAC-NT encryption type. |
-pType KRB5_NT_PRINCIPAL | This option specifies the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages. |
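As an added check (example code written for this page, not part of the WebSphere documentation, ktpass or ktab), the following parses the MIT-format keytab that ktpass and ktab write and confirms, before the file is copied to the application server, that it holds the expected HTTP service principal, an uppercase realm, and no single-DES keys such as the DES-CBC-MD5 / +DesOnly variant above produces. The keytab bytes and dummy keys are constructed inside the block; build_keytab, parse_keytab and audit_keytab are names chosen here.

```python
import struct
# Single-DES enctype numbers (IANA Kerberos registry): what ktpass -crypto DES-* and +DesOnly write.
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}
def _counted(b):  # 16-bit length-prefixed octet string, used for every string in the keytab format
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):  # serialize (principal, kvno, enctype, key) tuples into a v2 MIT keytab
    out = b"\x05\x02"  # constructed input for the parser below; ktpass and ktab write this same format
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(blob):  # -> [{principal, kvno, enctype}] for every live entry; keys are not retained
    assert blob[:2] == b"\x05\x02", "unsupported keytab version"
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        size, pos = struct.unpack(">i", blob[pos:pos + 4])[0], pos + 4
        if size < 0:  # a negative size marks a deleted slot that must be skipped, not parsed
            pos -= size
            continue
        end = pos + size
        ncomp, pos, strings = struct.unpack(">H", blob[pos:pos + 2])[0], pos + 2, []
        for _ in range(ncomp + 1):  # realm first, then the name components
            n = struct.unpack(">H", blob[pos:pos + 2])[0]
            strings.append(blob[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _, _, vno8, enctype, klen = struct.unpack(">IIBHH", blob[pos:pos + 13])
        pos += 13 + klen  # step over the key material
        kvno = struct.unpack(">I", blob[pos:pos + 4])[0] if pos + 4 <= end else 0
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno or vno8, "enctype": enctype})
        pos = end
    return entries

def audit_keytab(blob, expected_spn):  # checks to run before copying the keytab to the server
    entries, findings = parse_keytab(blob), []
    if not any(e["principal"] == expected_spn for e in entries):
        findings.append("missing " + expected_spn)
    for e in entries:
        if not e["principal"].rsplit("@", 1)[1].isupper():
            findings.append("realm not uppercase: " + e["principal"])
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s key for %s" % (WEAK_ENCTYPES[e["enctype"]], e["principal"]))
    return entries, findings
```

Running audit_keytab on a real file is `audit_keytab(open(path, "rb").read(), "HTTP/host@REALM")`; any finding means the keytab should be regenerated before it is deployed.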
Creating a Kerberos service principal name and keytab file using iSeries, Linux, Solaris and MIT KDCs:
See your Kerberos implementation documents for the kadmin, kadmin.local addprinc and ktadd commands for more detailed information.
This task is performed on a Linux, Solaris or MIT KDC machine.
For example, for the service principal name WAS/testmach.austin.ibm.com:
```
kadmin.local: addprinc WAS/testmach.austin.ibm.com
kadmin.local: ktadd WAS/testmach.austin.ibm.com
```
Creating a Kerberos service principal name and keytab file using z/OS KDC:
Before Simple and Protected GSS-API Negotiation (SPNEGO) web authentication and Kerberos authentication can be used, the WebSphere Application Server administrator must first create a Kerberos keytab file on the host that is running WebSphere Application Server.
To create an SPN, do the following:
```
ALTUSER ASCR1 KERB(KERBNAME(HTTP/host1.pok.ibm.com))
ALTUSER ASCR1 PASSWORD(was1krb) NOEXPIRED
ALTUSER ASCR1 NOPASSWORD
LISTUSER ASCR1 KERB NORACF
USER=ASCR1

KERB INFORMATION
----------------
KERBNAME= HTTP/host1.pok.ibm.com
KEY VERSION= 001
KEY ENCRYPTION TYPE= DES NODES3 NODESD
```
To create a Kerberos keytab (krb5.keytab) file, use the Java Kerberos ktab command, <$WAS_HOME>/java/bin/ktab, by doing the following:
```
(host1)CTC03:/PYRSA1/usr/lpp/zWebSphere/V7R1/java/J5.0/bin(189):>ktab -help
Usage: java com.ibm.security.krb5.internal.tools.Ktab [options]
Available options:
-l                                                  list the keytab name and entries
-a <principal_name> [password]                      add an entry to the keytab
-d <principal_name>                                 delete an entry from the keytab
-k <keytab_name>                                    specify keytab name and path with FILE: prefix
-m <source_keytab_name> <destination_keytab_name>   specify merging source keytab file name and destination keytab file name
```
```
(host1)CTC03:/PYRSA1/usr/lpp/zWebSphere/V7R1/java/J5.0/bin(201):>ktab -a HTTP/host1.pok.ibm.com@LSREALM.POK.IBM.COM ot56prod
Done!
Service key for principal HTTP/host1.pok.ibm.com@LSREALM.POK.IBM.COM saved
```
```
(host1)CTC03:/PYRSA1/usr/lpp/zWebSphere/V7R1/java/J5.0/bin(202):>ktab
1 entries in keytab, name: /etc/skrb/krb5.keytab
KVNO Principal
---- ---------
1    HTTP/host1.pok.ibm.com@LSREALM.POK.IBM.COM
```
```
ftp> bin
ftp> put c:\temp\KRB5_NT_SEV_HST\krb5.keytab
```
wsadmin>$AdminTask help validateKrbConfig
This is not true, however, if you have the JDK 1.6 with SR3 installed.
You have created a Kerberos service principal name and keytab file on the KDC that WebSphere Application Server uses to process SPNEGO and or Kerberos authentication requests.